Shibboleth and OpenSSL 1.1

[Cantor, Scott]

> Well, xmltooling has grown an openssl1.1 branch upstream and
> https://issues.shibboleth.net/jira/browse/CPPXT-110 is active (though
> not optimistic).

It's making progress. There are no plans to release anything before late 2017 and even that depends on the funding situation and the Board's decision about priorities.

Ultimately, the official timeline I have is "ahead of OpenSSL ending support for 1.0.2", which is 12/31/2019. We have much bigger fish to fry with Spring, Java 8, and other considerations wth the IdP to worry about a library that's supported for 3 more years.

> Since xmltooling depends on xml-security-c and
> https://wiki.shibboleth.net/confluence/display/OpenSAML/XML-Security-C
> mentions OpenSSL 1.1 as a non-issue, I'm somewhat baffled by #828607,
> but it certainly looks genuine.

Santuario does not yet support 1.1, and the Shibboleth Project, as the only maintainers of that code, is forced to fix it as part of dealing with the changes. That work is being done along with the rest of the changes and the patches are probably checked in somewhere or possibly in our Jira, I know Rod sent them to me for review.

>  It also looks easy to solve by the very example advertised at
> https://wiki.openssl.org/index.php/1.1_API_Changes.

The changes aren't hard but they are a lot of work to test. They impact hugely sensitive parts of both libraries and we are taking great pain to avoid breaking things. All of our key management code and some of the algorithm implementations are all using the old key structures because there was no other way to do that work.

Rod's writing a bunch of unit tests, none of which have existed to date, to try and make sure we don't swap a p and q somewhere.

I don't have any plans to rush the Santuario patches into place, but I'll probably get them in sometime next year. I don't know if I'll do a release just for that, but I doubt it.

-- Scott